I was involved with the card reader upgrades at McDonald’s in the US. Essentially the card readers were stripped out of the main network and all buildings were rewired with a physically segregated network for cashless transactions.
Registers placed orders to the main routing server in the back, which passed the information to each individual station for fulfillment. The only time the card reader is involved is when the register makes a request to the cashless processing appliance in the back office, then it reaches out to the card reader on the segregated network.
I worked at a POS vendor who did this kind of thing internal to the device. We had a bunch of robots (they looked like 3D printers with a stylus instead of a print head) testing the payment flows because none of the Android test tools could interface with that part of the device.
It was kind of impressive, but also kind of funny because the secrets we were protecting are symmetric and printed on the card for anyone to see.
I'm surprised the stripe is still added to cards these days. The chip broke on my mum's card around 10 years ago and although the card readers had strip readers, they would often refuse to use it. Seem to remember some requiring a few failed chip uses before allowing magnetic strip.
Depends on what part of the world you’re in. In Europe I wouldn’t really expect anyone to accept magstripe on a card with a chip, but in the US it’s more common.
Additionally, terminals can be configured to detect dodgy chips and automatically fall back to magstripe, or a more basic form of processing. But your bank may block these transactions, because they can’t perform chargebacks on them, they’re considered as “secure/good as” Chip and PIN transactions by the card network for merchants in some parts of the world (e.g. the US). So if a fraudulent transaction was performed that way, the bank would have to eat the entire cost themselves.
I think that actually made more sense. In a power outage the bumps were the only backup. I had seen it used once at a petrol station. While there is close to no situation where a chip payment or NFC couldn’t be used.
Only for ATM transactions. It’ll still work for normal transactions at a POS device, but they’re lower risk for the bank as it’s easy to perform chargebacks and recover the money.
That’s correct and stripes are mostly used as a fallback nowadays, if at all. Merchants are reluctant to use stripe because in case of chargeback of a striped payment the liability shifts to the merchant, no questions asked. That’s how the payment networks got merchants to migrate to use chip-based authentication.
The biggest reason in the US is the cost of replacing gas station pump payment terminals. They held back going "full" EMV (no stripe at all) for many years.
But if a human can take a picture of the card and create online transactions based on that image, the necessary secrets are leaked anyhow. Secure the chip all you want, until we stop using shared symmetric secrets to authorize spend it won't really matter.
This matches something the startup I worked at discovered when installing power monitoring equipment in restaurants. We initially weren’t PCI compliant but it didn’t matter because we always installed on the network that didn’t process credit card info. Just one potential customer asked us about this…
I’d say so. Also there was effectively no troubleshooting in the store you could do. Aside from unplugging and replugging the appliance and terminals it was all under a very strict service contract. Too many terminals down or the appliance that processes transactions and a tech had to be out in 8 hours regardless of time of day to service.
And really, the worst exploit I fathomed you could do would be... changing the IP address on two PEDs to swap what lanes they were on (so register 2's pad would really be used for register 3 and vice versa).
What was your experience like and where did it lead you? For me it was part of the wake-up call that showed me to the door. Being OTP for 14 Stores and GM for 1 was what pushed me over the edge.